- 101
- These are slimmed down payload types based on the existing C#, Go, Nim and Python payloads, available at https://github.com/orgs/MythicAgents/repositories.
- Goal of this repo is to to be bare-bones examples of the payloads, implementing one or two operator exposed functions, tasking, and HTTP/S Comms.
- Idea is to demonstrate what a simple, working payload looks like, along with providing a possible base for additional modifications and additions. This is to help with others in learning how to write a sample C2 agent, following an established model, with extensibility.
- Each of the payloads have had their folder setup appropriately, such that you can clone/download this repo, and point mythic to any of the contained folders.
- The designated payload should load without any issues.
- Boa
- Execution Flow
- Dog
- Execution Flow
- Frog
- Execution Flow
- Ode
- This is a fork/slimmed version of Atlas. (https://github.com/MythicAgents/atlas)
- Execution Flow
- Execution Starts in
Main()inProgram.cs - One function is immediately called,
Utils.GetServers();- This function's execution chain ends with a list of servers being added to the
Config.Serverslist
- This function's execution chain ends with a list of servers being added to the
- The next step is a compile-time flag seeing whether to validate the TLS certificate on callback.
- Next up is a while loop, that checks for if the
HTTP.CheckInfunction returns false, and if so, generates an int and sleeps for that amount of time.while (!Http.CheckIn())- Evals whetherHttp.CheckIn()returns true.
- After the
HTTP.CheckInis eval'd, aJobListobject is created, fromMessages.JobList. This sets the internal varjob_countto 0, andjobs{}as an array.Messages.JobList JobList = new Messages.JobList- This creates the List object
jobspublic List<Job> jobs { get; set; }
- This object also contains a function called
JobList()- This function creates a new variable
jobswith the value ofnew List<Job>()
- This function creates a new variable
- Finally, we have a while loop
while (true), which performs 3 tasks:Dispatch.Loop(JobList);- This function, as the name implies, first performs an
if/elsecheck regarding the current date, and should that be satisfied, continues on to:- Retrieve tasking using
Http.GetTasking(JobList); - Perform said tasking using:
StartDispatch(JobList); - Returns the results of task execution to the Mythic server:
Http.PostResponse(JobList);
- Retrieve tasking using
- This function, as the name implies, first performs an
int Dwell = Utils.GetDwellTime();GetDwellTime()- Creates a high and low number using
Config.Sleep + (Config.Sleep * (Config.Jitter * 0.01))andRandom()to pick a 'random' number for each one.int Dwell = random.Next(Convert.ToInt32(Low), Convert.ToInt32(High));
- Then multiplies the result by
1000, and returns that as the value forDwell
System.Threading.Thread.Sleep(Dwell);- Self-explanatory, process 'sleeps' for the
Dwelltime value established above.
- Self-explanatory, process 'sleeps' for the
- Execution Starts in
- Understanding Tasking of Ode
1. Tasking occurs During Step 6 above, specifically with the
Dispatch.Loop(JobList);function. 2.
rmusser01 / poc-mythic-payloads Goto Github PK
View Code? Open in Web Editor NEWLicense: MIT License
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent